-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/lib/firejail_user.c | 8 | ||||
-rw-r--r-- | src/man/firejail-users.txt | 20 |
3 files changed, 21 insertions, 10 deletions
@@ -5,6 +5,7 @@ firejail (0.9.56~rc1) baseline; urgency=low | |||
5 | * modif: removed compile time --disable-bind | 5 | * modif: removed compile time --disable-bind |
6 | * modif: --net=none allowed even if networking was disabled at compile | 6 | * modif: --net=none allowed even if networking was disabled at compile |
7 | time or at run time | 7 | time or at run time |
8 | * modif: allow system users to run the sandbox | ||
8 | * support wireless devices in --net option | 9 | * support wireless devices in --net option |
9 | * support tap devices in --net option (tunneling support) | 10 | * support tap devices in --net option (tunneling support) |
10 | * allow IP address configuration if the parent interface specified | 11 | * allow IP address configuration if the parent interface specified |
@@ -13,7 +14,7 @@ firejail (0.9.56~rc1) baseline; urgency=low | |||
13 | * add --private-cache to support private ~/.cache | 14 | * add --private-cache to support private ~/.cache |
14 | * support full paths in private-lib | 15 | * support full paths in private-lib |
15 | * globbing support in private-lib | 16 | * globbing support in private-lib |
16 | * support for local user directories in firecfg | 17 | * support for local user directories in firecfg (--bindir) |
17 | * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint, | 18 | * new profiles: ms-excel, ms-office, ms-onenote, ms-outlook, ms-powerpoint, |
18 | * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio, | 19 | * new profiles: ms-skype, ms-word, riot-desktop, gnome-mpv, snox, gradio, |
19 | * new profiles: standardnotes-desktop, shellcheck, patch, flameshot, | 20 | * new profiles: standardnotes-desktop, shellcheck, patch, flameshot, |
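--- a/src/lib/firejail_user.c
+++ b/src/lib/firejail_user.c
@@ -107,10 +107,8 @@ int firejail_user_check(const char *name) {
 if (strcmp(name, "root") == 0)
 return 1;
 
-// other system users will run the program as is
-uid_t uid = getuid();
-assert(uid_min > 0);
-if (((int) uid < uid_min && uid != 0) || strcmp(name, "nobody") == 0)
+// user nobody is never allowed
+if (strcmp(name, "root") == 0)
 return 0;
 
 // check file existence
@@ -155,7 +153,7 @@ void firejail_user_add(const char *name) {
 struct passwd *pw = getpwnam(name);
 if (!pw) {
 fprintf(stderr, "Error: user %s not found on this system.\n", name);
-return;
+exit(1);
 }
 
 // check the user is not already in the database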
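Review bot: The new guard under `// user nobody is never allowed` in firejail_user_check compares `name` with "root" a second time, so it can never fire: the identical test three lines above has already returned 1. The removed condition was the only visible place that rejected "nobody", so the check should read `if (strcmp(name, "nobody") == 0)`. As written, whether nobody may start the SUID sandbox presumably depends on the database lookup further down, which is outside the hunk, while the man page updated in this same commit states that nobody is never allowed. The function body starts and ends outside the hunk, so a later check may still cover this, but nothing visible does.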
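--- a/src/man/firejail-users.txt
+++ b/src/man/firejail-users.txt
@@ -4,13 +4,13 @@ firejail.users \- Firejail user access database
 
 .SH DESCRIPTION
 /etc/firejail/firejail.users lists the users allowed to run firejail SUID executable.
-If the file is not present in the system, all users are allowed to use the sandbox.
-root user is allowed by default. Other system users (users with an ID below UID_MIN value
-defined in /etc/login.defs, typically 1000) are not allowed to start the sandbox.
+root user is allowed by default, user nobody is never allowed.
 
 If the user is not allowed to start the sandbox, Firejail will attempt to run the
 program without sandboxing it.
 
+If the file is not present in the system, all users are allowed to use the sandbox.
+
 Example:
 
 $ cat /etc/firejail/firejail.users
@@ -34,11 +34,23 @@ By default, running firecfg creates the file and adds the current user to the li
 
 See \fBman 1 firecfg\fR for details.
 
+.SH ALTERNATIVE SOLUTION
+An alternative way of restricting user access to firejail executable is to create a special firejail user group and
+allow only users in this group to run the sandbox:
+
+# addgroup firejail
+.br
+# chown root:firejail /usr/bin/firejail
+.br
+# chmod 4750 /usr/bin/firejail
+
+
 .SH FILES
 /etc/firejail/firejail.users
 
 .SH LICENSE
-Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
+Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP
 Homepage: https://firejail.wordpress.com
 .SH SEE ALSO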